Electronics manufacturers send warning shot to front of CMMC
The Cyber Security Maturity Model (CMMC) certification program recently took a significant step forward by naming the first third-party certified assessment bodies.
Kratos and Redspin have successfully completed the CMMC Maturity Level 3 (ML3) assessment challenge conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIB CAC) of the Defense Contract Management Agency, along with other administrative and personal requirements.
“Achieving this milestone in the establishment and operation of the CMMC ecosystem is an important milestone and we look forward to authorizing additional C3PAOs in the days and weeks to come,” said the CEO of CMMC-AB, Matthew Travis, in a statement.
The designation of C3PAOs is the first step towards CMMC certification of companies. The question now is whether the suppliers will decide that it is not worth the time or the cost.
This is potentially the case with electronics manufacturers.
A new survey by IPC, an industry association representing electronics manufacturers, found that nearly a quarter of all respondents said the cost and burden of CMMC could force them out of the Defense Industrial Base (DIB).
About half of IPC’s 3,000 members are in the United States, and many of them serve the DoD market.
Chris Mitchell, vice president of global government relations at IPC, said in an interview with Federal News Network that CMMC could cause another contraction of an industrial base that has shrunk over the past 20 years.
“This is important because we have already seen a huge contraction and reduction in the number of electronics manufacturers here in the United States. To give you a sense of the kind of trajectory we’ve taken as a country, over the past 20 years or so we’ve gone from over 2,000 PCB manufacturers in the United States to less than 200. And that number is expected to decline further,” Mitchell said. “We were hearing so many of our members worrying about CMMC. It’s important to understand that manufacturing electronics is generally a low-margin business, so even small increases in additional costs can really affect a company’s competitiveness. As companies begin to undertake assessments and complete other tasks necessary for certification, many have told us that the costs are much higher than they expected, and that there was still a lack of clarity regarding the requirements and what the timeline was.”
He added that a shrinking industrial base, combined with the costs and burden of CMMC, could leave the Defense Department facing a severely weakened industrial base.
To take it a step further, almost all weapon systems, all back-office processes and all communication tools rely on the sector.
The DoD's January report to Congress on its industrial base capabilities highlighted this problem.
“Dependence on foreign sources for semiconductor products continues to pose a serious threat to the economic prosperity and national security of the United States, as much of the critical infrastructure depends on microelectronic devices,” the report states. “This threat will become more pronounced as emerging technology sectors, such as the Internet of Things (IoT) and AI, require commodity quantities of advanced semiconductor components.”
The DoD also recognized the market contraction. The Pentagon said in the report that in the aerospace and defense sector, electronics accounted for 23% of the total value of M&A deals in the first half of fiscal 2020, or about $15.4 billion. The most notable of these mergers and acquisitions were the acquisition by BAE Systems Inc. of Collins Aerospace – Military Global Positioning System and the acquisition by Teledyne Technologies Inc. of Photonics Technologies SAS.
Mitchell said the potential impact is not just on prime contractors, but flows down to subcontractors as well.
“As far as the supply chain is concerned, it is already under heavy constraints. We had a call with an industry rep, unrelated to CMMC, and a big part of that discussion was the fact that we are already struggling to source parts, components and materials,” he said. “I think CMMC without some adjustments is likely to exacerbate these concerns.”
More than a third of respondents say CMMC will weaken the DIB, and 41% say the requirements will cause further problems in their supply chain. IPC received 108 responses from subcontractors, PCB manufacturers, original equipment manufacturers and suppliers who said they plan to undergo a CMMC assessment within the next five years.
Despite their concerns, IPC has found that some of its members, including original equipment manufacturers (OEMs), prime contractors and others, are already starting to implement CMMC.
Another hurdle for electronics manufacturers is the cost of CMMC. The survey found that most providers say they expect and are willing to spend over $50,000 on CMMC preparation. Almost a third (32%) say it will take them one to two years to prepare for the CMMC assessment. IPC found that more than half of vendors say that if the implementation costs more than $100,000, CMMC would be too expensive.
“DoD’s own cost analysis estimated the cost of a CMMC Maturity Level 3 (ML3) certification to be over $118,000 in the first year. This means that the DoD’s own estimate of CMMC compliance costs is too high for 77 percent of respondents to the IPC survey,” the IPC found.
The DoD estimates the cost to obtain CMMC Level 3 certification at approximately $118,000.
But Mitchell said that estimate appears to be low.
“These companies that go through this process are reporting much, much higher cost estimates, exceeding $300,000 in some cases, and these are not large companies that we are talking about,” he said. “I think the fear on our part is that as companies go through this process, cost estimates are likely to increase and therefore the tendency to exit the defense market may also increase.”
What the survey did not answer is how important the DoD market is to these electronics manufacturers, and whether it is a market big enough to justify spending money on CMMC. For example, the Center for Strategic and International Studies (CSIS) estimated that the military would spend more than $5.6 billion on communications and electronics equipment last year. Overall, CSIS predicts that funding for communications, sensors and electronics will increase by 21% by 2022.
More clarity, transparency needed
Is a market of $10 billion to $15 billion big enough for these companies to gamble a few hundred thousand dollars each? Or is the potential not as enticing, given that the globalization of the electronics industry means hundreds of billions more, and the DoD isn’t worth it?
While IPC may not necessarily be able to answer those questions, it is clear that the decline in the number of contractors is of concern to both DoD and the industry as a whole.
The Defense Advanced Research Projects Agency (DARPA), for example, launched the Electronics Resurgence Initiative (ERI) in 2017 in response to several technical and economic trends in the microelectronics sector.
Through this program, DARPA is funding work in seven areas, including accelerating innovation in artificial intelligence hardware to make decisions faster at the edge, lowering electronics design costs, and overcoming security threats in the hardware lifecycle.
Mitchell said the IPC would like the DoD to provide more clarity and transparency around CMMC, especially when addressing reciprocity with existing industry standards.
“There are many industry standards in existence that have actually done a pretty good job of strengthening the security of the industrial base. IPC, in fact, has worked closely with the Department of Defense to establish IPC-1791, which is a trusted vendor standard that also incorporates cybersecurity requirements. Companies have now been working for more than two years to meet this standard and be validated. As a result, the PCB and PCB assembly industries are more robust today, are safer today than they were two years ago,” he said. “We would love to see if it’s in the context of CMMC, or outside of it. We would like to see the DoD put more emphasis on exploiting these standards. I think they reflect an industry commitment to ensuring the security of our industrial base, both physically and cyber.”
Interestingly enough, the DoD even refers to the IPC-1791 standard in its January report to Congress, saying that “a strategy is currently under development and will need to be implemented by January 2023.”
Mitchell said the IPC shared the results of the survey with the DoD, as well as with lawmakers.
He said the goal is to use the data to help convince the DoD to work more closely with industry to determine how companies can achieve CMMC certification in a way that is neither too burdensome nor too expensive. He said the other issues include clarifying how to achieve compliance beyond hiring consultants.
“Let’s take every opportunity to try to take advantage of existing standards that are already being used by the industry to determine if we can reduce some of the costs that way as well,” he said. “From what I understand, there is a desire to standardize the entire industrial base. In many ways, if you talk to the industry, they think it’s a laudable goal. I think the challenge, of course, is that it’s not just in the case of security, but both in terms of security and quality as a whole, as well as in many other areas. These companies spend enormous resources in order to have operations validated by one measure or another. CMMC adds huge costs to companies that operate on low margins. So to the extent that we can take advantage of existing standards, we think that’s a very good approach.”
The concern IPC members have about CMMC is not limited to one sector. While the DoD has done a good job talking about CMMC, the number of unanswered questions, such as what the way forward looks like, is increasing. The DoD must make public how it will update its plan for CMMC based on Assistant Secretary Kathleen Hicks’ review that ended in May and crush some of the silly rumors that have started to gain traction.